Exponentiation makes the difference between the bit-size of this line and the number ($\ll 2^{300}$) of particles in 
the known Universe. The expulsion of exponential time algorithms from Computer Theory in the 60's broke 
its umbilical cord from Mathematical Logic. It created a deep gap between deterministic computation and - 
formerly its unremarkable tools - randomness and non-determinism. Little did we learn in the past decades 
about the power of either of these two basic "freedoms" of computation, but some vague pattern is emerging 
in relationships between them. The pattern of similar techniques instrumental for quite different results in 
this area seems even more interesting. Ideas like multilinear and low-degree multivariate polynomials, Fourier 
transformation over low-periodic groups seem very illuminating. The talk surveyed some recent results. One 
of them, given in a stronger form than previously published, is described below. 

$|x|$ will denote the length of string x. Let P be the set of fast, i.e. computable in time $T_f(x) = |x|^{O(1)}$, 
algorithms f(x) on binary strings. [Blum Micali 82, Yao 82] proposed a fast deterministic way to generate 
"nearly perfect" randomness, using the idea of a hard core or hidden bit. They assume certain length 
preserving functions $f \in P$ to be one-way (OWF), i.e. infeasible to invert (a non-deterministically easy task). 
Suppose it is hard to compute from f(x) not only x but even its one bit $b(x) \in \{\pm 1\}$, $b \in P$. Moreover, 
assume that even guessing b(x) with any noticeable correlation is infeasible. If f is bijective, f(x) and b(x) 
are both random and appear to be independent to any feasible test, thus increasing the initial amount $|x|$ 
of randomness by one bit. Then, a short random seed x can be transformed into an arbitrary long string 
$a(1), a(2), \ldots$: $a(i) = b(f^{(i)}(x))$. Such a passes any feasible randomness test. [Goldreich Levin 89] showed 
that every OWF f has such a hidden bit with security of f and b polynomially related. It also gives more 
details on the definitions below. Here this result is strengthened to yield the same security for f and b. 

Let P be the set of probabilistic algorithms $A(x, \omega)$ using coin-flips $\omega \in \{0,1\}^{\mathbb{N}}$ and running in 
average over $\omega$ time $E_\omega T_A(x, \omega) = |x|^{O(1)}$. An inverter $I \in P$ for f attempts to compute from f(x) a list 
of strings containing x. Its success rate $s_{I,f}(n)$ is the probability of $\{x \in \{0,1\}^n, \omega : x \in I(f(x), \omega)\}$. A 
guesser for $b : S \to \{\pm 1\}$ on $f \in P$ is a P-algorithm $G(y, \omega) \in \{0, \pm 1\}$. Its success rate is 
$s_{G,b,f}(n) = (E_{x,\omega} G(f(x), \omega)\, b(x))^2 / E_{x,\omega} G(x, \omega)^2$, i.e. the inverse sample size needed to notice the correlation with b. The 
security of OWF f or of its hidden bit b is a lower bound of $1/s(n)$ for all I (or G) and big enough n. 

Let us pad a OWF f to $f'(x, r) = (y, r)$, $y = f(x)$; $x, y, r \in \mathbb{Z}_2^n$. Let $b(x, r) = (-1)^{(x \cdot r)}$; $v_i = 0^i 1 0^{n-i-1}$. 
We fix $y, \omega$, denote $G_r = G(y, r, \omega)$ and $c(x) = E_r b(x, r) G_r / \sqrt{E_r G_r^2}$. We will build an inverter for f(x) with 
the success probability $> c(x)^2$. Due to Cauchy-Schwarz inequality, its overall success rate $> s_{G,b,f'}$. 

Note that c(x) (if extended to real vectors) is a generic, up to a constant factor, multilinear function with 
coefficients given by $G_r$. It is the Walsh (Fourier over group $\mathbb{Z}_2^n$) transformation of $G_r$. 

Say $c(x) > 0$. Then averaging $(-1)^{(x \cdot r)} G_r$ over $> 2n/c(x)^2$ random pairwise independent r yields $> 0$ with 
probability $> 1 - 1/2n$, and the same for $(-1)^{(x \cdot (r + v_i))} G_{r+v_i} = (-1)^{(x \cdot r)} G_{r+v_i} (-1)^{x_i}$. Let $k > \log(2n/c(x)^2)$. 
Take a random matrix $R \in \{0,1\}^{n \times k}$. Then the vectors $Rp$, $p \in \{0,1\}^k \setminus \{0^k\}$ are pairwise independent. 
So, for a fraction $> 1 - 1/2n$ of R, $\operatorname{sign} \sum_p (-1)^{xRp} G_{Rp+v_i} = (-1)^{x_i}$. We could thus find $x_i$ for all i with 
probability 1/2 if we knew $z = xR$. But z is short: we can try all $2^k$ possible values! 

So, the inverter flips $l(\omega) < 2n$ coins until the first and sets $k = l + \lceil \log 5n \rceil$. With $2c(x)^2$ chance k is 
large enough. Then for a random R and all i, p it computes $g_i(p) = G_{Rp+v_i}$. It uses Fast Fourier on $g_i$ to 
compute $h_i(z) = \sum_p (-1)^{(z \cdot p)} g_i(p)$. The sign of $h_i(z)$ is the i-th bit for the z-th member of output list. ■ 
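
The inverter just described, as an added Python example (not code from the original text): bit-vectors are stored as ints, the guesser G is a constructed noisy oracle for $(-1)^{(x \cdot r)}$ that errs on a fixed 10% of all r, and the names `dot`, `walsh`, `invert` and `demo` are illustrative. k is passed in as a parameter instead of being chosen by coin flips.

```python
import random

def dot(a, b):
    """Inner product over Z_2 of two bit-vectors stored as ints."""
    return bin(a & b).count("1") & 1

def walsh(g):
    """Fast Walsh-Hadamard transform: h[z] = sum_p (-1)^(z.p) g[p]."""
    h, step = list(g), 1
    while step < len(h):
        for start in range(0, len(h), 2 * step):
            for j in range(start, start + step):
                h[j], h[j + step] = h[j] + h[j + step], h[j] - h[j + step]
        step *= 2
    return h

def invert(G, n, k, rng):
    """Return (R, list of 2^k candidates for x) from a guesser G(r) for (-1)^(x.r)."""
    R = [rng.getrandbits(n) for _ in range(k)]   # columns of a random n x k matrix
    Rp = [0] * (1 << k)
    for p in range(1, 1 << k):                   # Rp[p] = XOR of the columns selected by p
        low = p & -p
        Rp[p] = Rp[p ^ low] ^ R[low.bit_length() - 1]
    cands = [0] * (1 << k)
    for i in range(n):
        v_i = 1 << i                             # unit vector for coordinate i
        h = walsh([G(r ^ v_i) for r in Rp])      # g_i(p) = G_{Rp+v_i}, then h_i
        for z in range(1 << k):
            if h[z] < 0:                         # sign h_i(z) = (-1)^{x_i} when z = xR
                cands[z] |= v_i
    return R, cands

def demo(n=16, k=9, noise=0.1, seed=1):
    rng = random.Random(seed)
    x = rng.getrandbits(n)                       # constructed secret input
    wrong = {r for r in range(1 << n) if rng.random() < noise}
    G = lambda r: (-1) ** dot(x, r) * (-1 if r in wrong else 1)
    R, cands = invert(G, n, k, rng)
    z = sum(dot(x, R[j]) << j for j in range(k)) # z = xR, used only to check the result
    return x, cands, z
```

The inverter never sees z; it outputs all $2^k$ candidates, and the one indexed by $z = xR$ is x.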
Using an $n \times i$ Toeplitz matrix in place of the vector r one can extract i bits from x rather than one. 
According to [GL], this will decrease the security of the bits by a factor of $2^i$. 

The power of the above theorem (and a weaker one in [GL]) can be seen even in the trivial case f(x) = 0. 
It is an OWF if x has any distribution such that the probability of x is always, say, $< 4^{-i}$. No relation 
between $|x|$ and i or other condition is needed. Such "junk" x are much more available than random uniformly 
distributed strings. Having a fixed random r and an unlimited supply of such x, one can keep extracting i 
"nearly perfect," with security $2^i$, random bits from each x. In this case the security (of f and thus of b) 
is probabilistic: it holds for functions i.e. algorithms with any oracle. This method requires no additional 
proof and puts much weaker assumptions on the distribution than the original Vazirani result. 
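
An added Python example (not from the original text) of the Toeplitz extraction above: it computes the i bits $xT$ over $\mathbb{Z}_2$ and checks exhaustively, for small n and i, a standard property that goes beyond what the text states, namely that every nonzero x is mapped to a uniformly distributed output as T ranges over all $n \times i$ Toeplitz matrices. The function names and the indexing of the diagonal bits `t_bits` are assumptions of this example.

```python
from collections import Counter
from itertools import product

def toeplitz_extract(x_bits, t_bits, i):
    """Return the i bits x*T over Z_2, where T[b][a] = t_bits[b - a + i - 1]."""
    n = len(x_bits)
    assert len(t_bits) == n + i - 1, "an n x i Toeplitz matrix has n+i-1 free bits"
    return tuple(
        sum(x_bits[b] & t_bits[b - a + i - 1] for b in range(n)) & 1
        for a in range(i)
    )

def output_counts(x_bits, i):
    """Histogram of x*T over every n x i Toeplitz matrix T."""
    n = len(x_bits)
    return Counter(
        toeplitz_extract(x_bits, t, i) for t in product((0, 1), repeat=n + i - 1)
    )

def is_uniform_for_every_nonzero_x(n, i):
    """True if each nonzero x hits every i-bit output equally often over all T."""
    expected = 2 ** (n + i - 1) // 2 ** i
    for x in product((0, 1), repeat=n):
        if any(x):
            c = output_counts(x, i)
            if len(c) != 2 ** i or set(c.values()) != {expected}:
                return False
    return True
```

Applied to $x \oplus x'$, the same property shows that two distinct inputs collide with probability $2^{-i}$ over the choice of T.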

The hidden bit works for any OWF. But only "almost bijections" are known to yield pseudorandom 
generators without crucial security loss. Suppose, however, we have a length preserving $f \in P$ with a 
polynomial fraction of y for which $x \in f^{-1}(y)$ is hard to find. We may try to convert it into an "almost 
bijection" with the same property. It may be that $f'(a, x) = (a, f(x) + ax)$ (where a is in a finite field and 
slightly longer than x) will always do. 